前两天,闪电狼兄给了一个Themida_1.0.0.5加壳的新版绝影凯旋vip1.65,
狼兄把它目录中的一个驱动NTProcDrv.sys让偶分析分析。注意这不是Themida_1.0.0.5的驱动,不过它也保护着这个Themida加壳的主程序。早前错认了!
由于偶是菜鸟加壳盲.只好"雾"里看花去捏裸笨的NTProcDrv.sys.
作者声明: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
由于我误解了狼兄错认它是Themida的驱动.错误改过来了!
谢谢7楼西裤兄,不过代码全部是自己逆地.
逆向一下:
1:设备对象自定义扩展结构体如下:
// Per-device extension recovered from the binary (0x18 bytes). Offsets are the
// field positions seen in the disassembly; the IOCTL handler copies the last
// three fields to user mode and the process callback writes them.
typedef struct _DeviceExtension {
    ULONG size;             //0x0   never read or written in the recovered code
    PHANDLE EventHandle;    //0x04  NOTE(review): declared PHANDLE here, but IoCreateNotificationEvent
                            //      writes a HANDLE into the slot it is given — likely a HANDLE; confirm
    PRKEVENT KernelEvent;   //+0x08 the named notification event, pulsed from the callback
    HANDLE ParentId;        //+0x0C creator pid of the most recent process event
    HANDLE ProcessId;       //+0x010 pid of the most recent process event
    ULONG IsCreate;         //+0x014 low byte holds the callback's BOOLEAN: 1 = created, 0 = exited
} NTProcDrvDeviceExtension;
2:IRP_MJ_DEVICE_CONTROL中有点关键东东.
3:IoCreateNotificationEvent 建立事件通知与下面的回调和exe交互
4:PsSetCreateProcessNotifyRoutine 进程事件回调
由于偶是菜鸟加壳盲,不敢碰Themida_1.0.0.5加壳的EXE.只好找软肋逆.
代码如下:
//////////////////////////////////////////////////////////////////////////////
// * NTProcDrv.sys *
// * be reversed by qiweixue[BCG] *
// * CopyRight:http://www.pediy.com *
/////////////////////////////////////////////////////////////////////////////
#include <ntddk.h>
// 0x22E000 == CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS):
// the single IOCTL the driver serves. The access bits mean the I/O manager only
// passes it through on a handle opened with both read and write access.
#define NTProcDrv_IOCTL_METHOD_BUFFERED 0x22E000
// Device extension allocated by IoCreateDevice (sizeof == 0x18). Offsets are
// the ones recovered from the disassembly. The process callback writes
// ParentId/ProcessId/IsCreate and pulses KernelEvent; the IOCTL handler reads
// the three fields back to user mode. Nothing serialises writer and reader.
typedef struct _DeviceExtension {
    ULONG size;             //0x0   never read or written in the recovered code
    PHANDLE EventHandle;    //0x04  NOTE(review): declared PHANDLE, but IoCreateNotificationEvent
                            //      stores a HANDLE into the slot it is given — probably a HANDLE; confirm
    PRKEVENT KernelEvent;   //+0x08 named notification event returned by IoCreateNotificationEvent
    HANDLE ParentId;        //+0x0C creator pid of the most recent process event
    HANDLE ProcessId;       //+0x010 pid of the most recent process event
    ULONG IsCreate;         //+0x014 low byte holds the callback's BOOLEAN: 1 = created, 0 = exited
} NTProcDrvDeviceExtension;
// DriverUnload: removes the \DosDevices link and the device object.
VOID
NTProcDrvUnloadDriver(
    IN PDRIVER_OBJECT DriverObject
    );

// IRP_MJ_CREATE / IRP_MJ_CLOSE: every open and close succeeds.
NTSTATUS
NTProcDrvCreateClose(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    );

// IRP_MJ_DEVICE_CONTROL: serves NTProcDrv_IOCTL_METHOD_BUFFERED by copying
// the last process event (parent pid, pid, create flag) to the caller.
NTSTATUS
NTProcDeviceControl(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    );

// PCREATE_PROCESS_NOTIFY_ROUTINE registered from DriverEntry: records the
// event in the device extension and pulses the notification event.
VOID
NTProcDrvNotifyRoutine (
    IN HANDLE ParentId,
    IN HANDLE ProcessId,
    IN BOOLEAN Create
    );
// Names are initialised in DriverEntry; the link name is reused by the unload routine.
UNICODE_STRING DeviceNameString;         // \Device\NTProcDrv
UNICODE_STRING LinkDeviceNameString;     // \DosDevices\NTProcDrv
UNICODE_STRING EventDeviceNameString;    // \BaseNamedObjects\NTProcDrvProcessEvent
// The single control device; the process callback reaches its extension through this.
PDEVICE_OBJECT GloalDeviceObject;
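/*
 * DriverEntry
 *
 * Creates the \Device\NTProcDrv control device and its \DosDevices link,
 * creates the named notification event the user-mode client waits on, and
 * registers the process-creation callback.
 *
 * Defects in the recovered listing that are corrected here:
 *  - DevExt->EventHandle was dereferenced while DevExt was still NULL (the
 *    extension pointer was only fetched after the call); the extension is now
 *    taken from the device object before it is used.
 *  - IoCreateNotificationEvent's return value was never checked.
 *  - a failure after the device and link existed returned without tearing
 *    them down, leaving a device object and link pointing at a driver that
 *    did not load.
 *
 * Returns STATUS_SUCCESS, or the failing call's status.
 */
NTSTATUS
DriverEntry(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
    )
{
    HANDLE hEvent = NULL;
    PKEVENT kernelEvent = NULL;
    PDEVICE_OBJECT deviceObject = NULL;
    NTProcDrvDeviceExtension *devExt = NULL;
    NTSTATUS ntStatus;

    UNREFERENCED_PARAMETER(RegistryPath);

    RtlInitUnicodeString(&DeviceNameString, L"\\Device\\NTProcDrv");
    RtlInitUnicodeString(&LinkDeviceNameString, L"\\DosDevices\\NTProcDrv");

    /* Plain IoCreateDevice: no security descriptor is supplied, so the device
     * is reachable under the default DACL. The only IOCTL hands out process
     * ids, which bounds what an arbitrary opener can learn from it. */
    ntStatus = IoCreateDevice(
        DriverObject,
        sizeof(NTProcDrvDeviceExtension),
        &DeviceNameString,
        FILE_DEVICE_UNKNOWN,
        0,
        FALSE,
        &deviceObject);
    if (!NT_SUCCESS(ntStatus)) {
        return ntStatus;
    }

    ntStatus = IoCreateSymbolicLink(&LinkDeviceNameString, &DeviceNameString);
    if (!NT_SUCCESS(ntStatus)) {
        IoDeleteDevice(deviceObject);
        return ntStatus;
    }

    GloalDeviceObject = deviceObject;
    DriverObject->DriverUnload = NTProcDrvUnloadDriver;
    DriverObject->MajorFunction[IRP_MJ_CREATE] = NTProcDrvCreateClose;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = NTProcDrvCreateClose;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = NTProcDeviceControl;

    /* Fetch the extension before anything is stored into it. */
    devExt = (NTProcDrvDeviceExtension *)deviceObject->DeviceExtension;

    RtlInitUnicodeString(&EventDeviceNameString, L"\\BaseNamedObjects\\NTProcDrvProcessEvent");
    kernelEvent = IoCreateNotificationEvent(&EventDeviceNameString, &hEvent);
    if (kernelEvent == NULL) {
        ntStatus = STATUS_INSUFFICIENT_RESOURCES;
        goto fail_device;
    }
    /* NOTE(review): the recovered struct declares EventHandle as PHANDLE, but
     * what IoCreateNotificationEvent produced is a HANDLE. It is stored through
     * a cast rather than changing the recovered layout; the handle keeps the
     * named event alive for the driver's lifetime. */
    devExt->EventHandle = (PHANDLE)hEvent;
    devExt->KernelEvent = kernelEvent;
    KeClearEvent(kernelEvent);

    ntStatus = PsSetCreateProcessNotifyRoutine(
        (PCREATE_PROCESS_NOTIFY_ROUTINE)NTProcDrvNotifyRoutine, FALSE);
    if (!NT_SUCCESS(ntStatus)) {
        goto fail_event;
    }

    return STATUS_SUCCESS;

fail_event:
    ZwClose(hEvent);
    devExt->KernelEvent = NULL;
    devExt->EventHandle = NULL;
fail_device:
    GloalDeviceObject = NULL;
    IoDeleteSymbolicLink(&LinkDeviceNameString);
    IoDeleteDevice(deviceObject);
    return ntStatus;
}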
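/*
 * NTProcDrvUnloadDriver
 *
 * DriverUnload handler. The recovered listing only deleted the link and the
 * device: the process-notify callback registered in DriverEntry was left in
 * place, so after unload the kernel still held a pointer into the unloaded
 * image and the next process creation or exit would have called it. The
 * callback is deregistered first, then the device is torn down.
 *
 * The event handle from IoCreateNotificationEvent is not closed here because
 * the recovered extension layout does not store it in a usable form; the
 * named event therefore outlives the driver (no crash, just a leaked object).
 */
void
NTProcDrvUnloadDriver(
    IN PDRIVER_OBJECT DriverObject
    )
{
    PDEVICE_OBJECT deviceObject = DriverObject->DeviceObject;

    /* Remove=TRUE: stop process events from reaching code that is about to vanish. */
    PsSetCreateProcessNotifyRoutine(
        (PCREATE_PROCESS_NOTIFY_ROUTINE)NTProcDrvNotifyRoutine, TRUE);
    GloalDeviceObject = NULL;

    IoDeleteSymbolicLink(&LinkDeviceNameString);
    if (deviceObject != NULL) {
        IoDeleteDevice(deviceObject);
    }
}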
/*
 * NTProcDrvCreateClose
 *
 * Shared IRP_MJ_CREATE / IRP_MJ_CLOSE dispatch routine. Any caller may open
 * or close the device; the request is completed immediately with
 * STATUS_SUCCESS and zero bytes of information.
 */
NTSTATUS
NTProcDrvCreateClose(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    )
{
    UNREFERENCED_PARAMETER(DeviceObject);

    Irp->IoStatus.Information = 0;
    Irp->IoStatus.Status = STATUS_SUCCESS;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    /* Irp must not be touched after completion; return the constant. */
    return STATUS_SUCCESS;
}
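/*
 * NTProcDeviceControl
 *
 * IRP_MJ_DEVICE_CONTROL handler. NTProcDrv_IOCTL_METHOD_BUFFERED copies the
 * most recent process event out of the device extension as three ULONGs:
 * { ParentId, ProcessId, IsCreate }. Any other code fails with
 * STATUS_UNSUCCESSFUL, as in the recovered binary.
 *
 * Defects in the recovered listing corrected here:
 *  - Irp->IoStatus was only filled in on the `default` path; the success
 *    path and the undersized-buffer path completed the IRP with whatever was
 *    already in IoStatus.
 *  - Information was set to the caller's OutputBufferLength instead of the
 *    12 bytes actually written. With METHOD_BUFFERED the I/O manager copies
 *    Information bytes of SystemBuffer back to the caller, so over-reporting
 *    can return pool contents the handler never wrote.
 *  - a dead duplicate `if` assignment in `default` is removed, and the
 *    internal IofCompleteRequest is replaced by IoCompleteRequest to match
 *    NTProcDrvCreateClose.
 *
 * The three fields are written by NTProcDrvNotifyRoutine without any
 * synchronisation, so a reader can observe a torn update straddling two
 * process events; that is unchanged here.
 */
NTSTATUS
NTProcDeviceControl(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    )
{
    NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;
    ULONG_PTR bytesReturned = 0;
    PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation(Irp);
    ULONG outBufLength = irpStack->Parameters.DeviceIoControl.OutputBufferLength;
    ULONG ioCtlCode = irpStack->Parameters.DeviceIoControl.IoControlCode;
    PULONG outBuf = (PULONG)Irp->AssociatedIrp.SystemBuffer;
    NTProcDrvDeviceExtension *devExt = NULL;

    switch (ioCtlCode) {
    case NTProcDrv_IOCTL_METHOD_BUFFERED:
        /* 0x0C in the binary: room for the three ULONGs below. */
        if (outBuf == NULL || outBufLength < 3 * sizeof(ULONG)) {
            break;
        }
        devExt = (NTProcDrvDeviceExtension *)DeviceObject->DeviceExtension;
        outBuf[0] = (ULONG)(ULONG_PTR)devExt->ParentId;
        outBuf[1] = (ULONG)(ULONG_PTR)devExt->ProcessId;
        /* Only the low byte is meaningful: the callback stored its BOOLEAN there. */
        outBuf[2] = (ULONG)(UCHAR)devExt->IsCreate;
        bytesReturned = 3 * sizeof(ULONG);
        ntStatus = STATUS_SUCCESS;
        break;

    default:
        break;
    }

    Irp->IoStatus.Status = ntStatus;
    Irp->IoStatus.Information = bytesReturned;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    return ntStatus;
}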
/*
 * NTProcDrvNotifyRoutine
 *
 * Process-creation callback. Records the event's parent pid, pid and
 * create/exit flag in the control device's extension, then sets and
 * immediately clears the named notification event so a client blocked on
 * it wakes and reads the fields via the IOCTL.
 *
 * Observations a reader should keep in mind (behaviour is as recovered):
 *  - the set/clear pair is a pulse: a client not already waiting at that
 *    instant does not see it;
 *  - the fields are overwritten on every call with no serialisation against
 *    the IOCTL reader, so a slow client can read a later event than the one
 *    it was woken for.
 */
void
NTProcDrvNotifyRoutine (
    IN HANDLE ParentId,
    IN HANDLE ProcessId,
    IN BOOLEAN Create
    )
{
    NTProcDrvDeviceExtension *ext =
        (NTProcDrvDeviceExtension *)GloalDeviceObject->DeviceExtension;

    ext->ParentId = ParentId;
    ext->ProcessId = ProcessId;
    ext->IsCreate = (char)Create;

    /* Increment 0, Wait FALSE — pulse the notification event. */
    KeSetEvent(ext->KernelEvent, 0, 0);
    KeClearEvent(ext->KernelEvent);
}
欢迎找bug。idb文件、.c文件、源驱动都在这里:
http://www.live-share.com/files/142696/NTProcDrv_sys_c.rar.html
--------------------------------------------------------
我是阿赖耶识
- 标 题: 一个小型的用于监视进程产生和撤销驱动逆向分析
- 作 者:qiweixue
- 时 间:2007-01-22 13:13
- 附 件:ntprocdrv_sys_c.rar
- 链 接:http://bbs.pediy.com/showthread.php?t=38336